Deploying SPF

I think it is time to start pushing for everyone to adopt SPF. With AOL's announcement that they won't whitelist domains that don't publish by the end of the summer, there is major pressure on legitimate senders to publish SPF records. We can do the same by backing up AOL and doing the same for incoming mail to our servers.

We need to decide on a flag day. I vote for September 22, as it is the first day of Autumn in the US, and AOL said "by the end of summer". We would need a firm commitment by everyone to start filtering via SPF by that time. Those who want to can start giving negative scores to email that doesn't come from an SPF publisher.

A message needs to be sent out to everyone who does not publish SPF records. How do we identify them all? How do we send them all a message? Any ideas?

Finally, we need to come up with a message to send. It needs to be short, precise, and to the point. It needs to make sense for people whose only experience with the internet is the purchase of a domain name, and for those who have been here since before domain names were invented. It needs to strongly encourage the reader to publish SPF records. Either they do it out of fear of becoming irrelevant, or they do it out of a sense of duty to stop spam.

We'll need to translate this message to several languages. We can't expect all domain name owners to be fluent in English.

On Thu, 10 Jun 2004, Jonathan Gardner wrote:
>
> I think it is time to start pushing for everyone to adopt SPF. With AOL's
> announcement that they won't whitelist domains that don't publish by the
> end of the summer, there is major pressure on legitimate senders to publish
> SPF records. We can do the same by backing up AOL and doing the same for
> incoming mail to our servers.
>
> We need to decide on a flag day. I vote for September 22, as it is the first
> day of Autumn in the US, and AOL said "by the end of summer". We would need
> a firm commitment by everyone to start filtering via SPF by that time.
> Those who want to can start giving negative scores to email that doesn't
> come from an SPF publisher.
>
> A message needs to be sent out to everyone who does not publish SPF records.
> How do we identify them all? How do we send them all a message? Any ideas?
>

I think a "success story" from a large mail receiver will count a lot more than a message saying "We think you should ..."

What I would really like to see is some stats from large mail receivers (such as Pobox and AOL)

* Amount of mail coming in from SPF domains
* Breakdown by percent spam/ham
* Amount of mail coming in from non-SPF domains
* Breakdown by percent spam/ham
* Amount of mail from trusted forwarders
* Amount of mail where best-guess results in Pass
* Top 10 mail senders not using SPF

A success story is about the best thing for marketing. That is what we really want to write our press releases about :)

-- Greg Connor gconnor [at] nekodojo

Everyone says that having power is a great responsibility. This is a lot of bunk. Responsibility is when someone can blame you if something goes wrong. When you have power you are surrounded by people whose job it is to take the blame for your mistakes. If they're smart, that is. -- Cerebus, "On Governing"

On Thursday 10 June 2004 03:09 pm, Greg Connor wrote:
> I think a "success story" from a large mail receiver will count a lot
> more than a message saying "We think you should ..."
>
> What I would really like to see is some stats from large mail receivers
> (such as Pobox and AOL)
>
> * Amount of mail coming in from SPF domains
> * Breakdown by percent spam/ham
> * Amount of mail coming in from non-SPF domains
> * Breakdown by percent spam/ham
> * Amount of mail from trusted forwarders
> * Amount of mail where best-guess results in Pass
> * Top 10 mail senders not using SPF
>
> A success story is about the best thing for marketing. That is what we
> really want to write our press releases about :)

The carrot rather than the stick... good idea.

We should write a script that will parse mail server logs and summarize them daily into some statistics. Perhaps we can aggregate these statistics over the community and then present the result via a web page.

Does anyone have a script like that right now?

I think the following information will be enough to generate any kind of statistic we would want:

For each domain:

1. Whether the domain published SPF records.
2. The number of emails that PASS/FAIL/etc...
3. Of 2, the number you considered SPAM or HAM.
4. Of those that don't publish, the number that you considered SPAM or HAM.
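
An added example, not part of the thread and not any participant's script: one way to compute the per-domain figures listed above from a receiver's log, in Python. The log line format, the `verdict=` field and the function names `summarize` and `totals` are assumptions, and the sample lines are constructed.

```python
import re

# Constructed sample lines in a hypothetical log format (not any real MTA's):
#   <timestamp> from=<envelope sender> spf=<result> verdict=<spam|ham>
SAMPLE_LOG = """\
2004-06-10T15:01:02 from=<alice@example.com> spf=pass verdict=ham
2004-06-10T15:01:09 from=<bob@example.com> spf=fail verdict=spam
2004-06-10T15:02:11 from=<carol@example.com> spf=pass verdict=ham
2004-06-10T15:02:40 from=<x1@example.net> spf=none verdict=spam
2004-06-10T15:03:05 from=<x2@Example.NET> spf=none verdict=ham
2004-06-10T15:03:30 from=<news@example.org> spf=softfail verdict=spam
this line is malformed and is counted as skipped
"""

LINE_RE = re.compile(r"from=<[^@>\s]*@(?P<domain>[^>\s]+)>\s+"
                     r"spf=(?P<spf>[a-z]+)\s+verdict=(?P<verdict>spam|ham)\b")
# Results that do not prove a record exists: "none" means no record was found,
# and a transient DNS error says nothing either way.
NOT_PROOF = {"none", "error", "temperror"}

def summarize(log_text):
    """Return ({domain: {"publishes": bool, "results": {spf: {spam, ham}}}}, skipped)."""
    stats, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        domain = m["domain"].lower().rstrip(".")  # DNS names are case-insensitive
        entry = stats.setdefault(domain, {"publishes": False, "results": {}})
        if m["spf"] not in NOT_PROOF:
            entry["publishes"] = True
        counts = entry["results"].setdefault(m["spf"], {"spam": 0, "ham": 0})
        counts[m["verdict"]] += 1
    return stats, skipped

def totals(stats):
    """Spam/ham totals split by whether the sending domain publishes SPF."""
    out = {"spf": {"spam": 0, "ham": 0}, "non_spf": {"spam": 0, "ham": 0}}
    for entry in stats.values():
        bucket = out["spf" if entry["publishes"] else "non_spf"]
        for counts in entry["results"].values():
            bucket["spam"] += counts["spam"]
            bucket["ham"] += counts["ham"]
    return out

if __name__ == "__main__":
    per_domain, skipped = summarize(SAMPLE_LOG)
    for domain, entry in sorted(per_domain.items()):
        print(domain, "publishes" if entry["publishes"] else "no record", entry["results"])
    print("totals:", totals(per_domain), "skipped lines:", skipped)
```

Because each receiver's output is a plain per-domain count, results from several sites can be merged by summing the counters before calling `totals`.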